New authenticated smart-phone technology will streamline the verification of responders’ credentials in emergency management and also find many other uses.

In this Q&A with CCICADA consultant Christopher Biddle (BiddlePR), Steve Wilson, Managing Director of Lockstep Technologies in Sydney, Australia, describes in-depth the new technology his company is being asked to implement as part of the CCICADA/Kantara Initiative MDAV project. The Mobile Device and Attribute Validation (MDAV) project will speed responses to natural and manmade disasters by creating an authenticated smart-phone technology enabling emergency operations managers to instantly and securely verify the credentials of first responders.

Tell us briefly what this project is all about.

Our DHS Cyber Security Division project will create a prototype for the presentation of attributes held by, in this case, emergency responders. There is an urgent need for incident managers in the field to be assured of the credentials of mobile responders, such as hazmat certificates, clearance for working with children, security clearance, medical credentials, firearms permits and so forth.

“Our DHS Cyber Security Division project will create a prototype for the presentation of attributes held by emergency responders. The urgent need there is for incident managers in the field to be assured of the credentials of mobile responders.”

Once we solve that problem, we will move on to broader areas like healthcare, e-commerce, e-government, education, even social networking, where people should be able to have privacy and security at the same time, by being more careful with their attributes, like their networking handles and personal details.

2. How important is the MDAV project to advancing the goals of privacy and security in online cyber identification and verification transactions?

The classic approach to identity theft and identity fraud has been to pile on more identity. We’re in an arms race where users are subject to more and more identification even for basic transactions. You can’t use your credit card much anymore without having to type in your CVC—which originally was a “shared secret” and expressly meant not to be used online! And we have “Knowledge Based Authentication” where you have to type in “out of wallet” personal secrets to prove who you are, which seems designed to expose ever more valuable personal data.

What we need to do is get better at proving specific things that matter about people in specific contexts. We need ways of presenting specific attributes such that the data cannot be stolen and replayed.

What we need to do is get better at proving specific things that matter about people in specific contexts. We need ways of presenting specific attributes such that the data cannot be stolen and replayed. That’s what we do here at Lockstep Technologies. Our “Stepwise” innovation equips individuals with wallets of verified discrete attributes which they can present one by one during transactions or, in many cases, have the software do the presenting for them automatically.

For example, a user can have their age, residential address, health ID(s), employee number, professional qualifications, payment details, social media handles, and any number of customer reference numbers all held discretely in wallets on appropriate smart devices—and have only specific, relevant attributes presented separately to parties that need to verify them.

Stepwise conveys exactly which authoritative source has vouched for each attribute, and also proves that the attribute has been carried on a specific type of smart device. The “provenance” of personal information is increasingly vital for risk-based authentication. The “Replying Party” who needs to know an attribute value might prefer one type of attribute issuer over another, or they might want to know that a particular type of wearable device was used to convey it. With Stepwise, that level of detail is baked into the individual’s mobile device and then conveyed securely, one-on-one, so those who depend on attributes can be sure where they came from and how they’ve been safeguarded.

There is a strong trend in identity management towards attributes. Concrete attributes are easier to ‘federate’ (i.e. rely upon) across different contexts than are abstract identities. The focus now is more on what you are than who you are.

3. How does this project extend the work you have already done in the area of cyber security

Personally, I’ve worked in digital identity for over 20 years, starting with Public Key Infrastructure (PKI) pioneer Security Domain, which went on to become Baltimore Technologies. And I worked with a series of early certification authorities at KPMG and PwC, where we tried to innovate the “supply chains” for PKI services.

We are focusing on embedded digital certificates all the way down to atomic attributes, so transacting parties can select just the things that matter in each context.

From the early days, PKI was preoccupied with personal identity; the industry thought there could be a single, solid-gold, personal-identity certificate. However, the resulting identification protocols and legal scaffolding become oppressive. It gave PKI an unfortunate reputation which persists to this day. The truth is that PKI certificates are more ideally suited to conveying attributes than identities.

A great deal of my work over the years has been on these more artful applications of PKI. I helped the Australian Government develop “relationship certificates” around 2006, which allowed doctors to attach their precise medical qualifications and authorities to conduct health transactions electronically. A relationship certificate says something specific and quite limited about its holder, expressing the relationship they have with the issuer.

Relationships (or memberships) are at the core of most professional and mercantile identities. For example, what makes you a doctor is your membership in, and relationship with, an official board. If that board gives you a relationship PKI certificate, it means nothing more and nothing less than the fact you have a board membership number. But that’s precisely what matters – and it’s all that matters – when you write a prescription or a diagnosis or a medical report.

In a way, Stepwise extends that philosophy. We are focusing on digital certificates all the way down to atomic attributes, so that transacting parties can select just the things that matter in each context. That results in better security, better authentication, and better privacy because it cuts back the amount of extraneous personal information that is floating around as circumstantial evidence of who someone is.

4. What particularly excites you about this project?

With keys corresponding to multiple relationships, my vision is that smart objects will automatically interact across a rich spectrum of contexts, with provenance and focus.

It’s a microcosm of these big shifts we’ve talked about in cyber space. The shift from identity to attributes and the application of embedded cryptography in smart devices. Those of us who have worked in PKI for decades have always looked for the technology to go under the covers, which is what we see now with smart technologies, mobiles, smartcards and the new generation wearables.

At the 2013 RSA Conference, Google Vice President Vint Cerf gave a keynote about the Internet of Things where he envisaged all objects have their own private keys, so they could digitally sign and authenticate everything they did in the network. Cerf was thinking out loud, wondering what could be done capably. Well Lockstep Technologies figured that one out several years before, and we’ve been working to bring it to reality.

With multiple keys corresponding to respective relationships, my vision is that smart objects will automatically interact across a rich spectrum of contexts, with provenance and focus. A smart car, for instance, will be able to transmit just the specifics about its conditions (and its passengers!) to its various component vendors and service providers, the energy grid, regulators, other vehicles, insurers, license authorities and so on. (I gave a presentation to the 2015 Cloud Identity Summit about the need to “ration” identity data with connected cars and the whole Internet of Things.) Or a piece of medical equipment will be able to send differently authenticated private messages to the clinic, the doctor, researchers, different medical records services, billers, medical device regulators, and even medical social networks. Each message will be discrete, focused, and authentic without necessarily identifying the user, and de-linked from all the others.

5. I am curious to know why a project of this importance has not already been undertaken by a private or government entity. Other than the fact that DHS has decided to make this project a priority now, what if anything has kept it from being done earlier?

My theory is that PKI itself has been hampered for decades by the preoccupation with identity. When you aim for complete identity, you get complex policies and overheads. The same thinking has bogged down authentication standards.

For years we’ve thought about identity along one simplistic dimension—the “levels of assurance.” We tend to think of identity online in terms of good, better and best, or “anonymous,” “self- asserted” and “externally asserted.” It’s not a helpful paradigm, because it biases everyone towards more and more identification. It’s unreal.

“If we don’t get a whole lot smarter with authentication on the Internet of Things, separating all the different facts we need to know about devices and their users, then we may end up with ‘informatic grey goo’. I hope we can help stop that.”

We don’t, for example, judge professionals by grade of identity; someone is either a board certified cardiologist or not; another person is either a qualified teacher or they are not. And even if someone could be “perfectly” identified, you’re still left needing to know the specifics: What’s someone’s credit card number, or shipping address, or age, or employment status? It’s the attributes that really matter, not the person’s “true” identity.

Hence we see quite recent reforms, like the review of NIST’s levels of assurance standard SP-800-63. And the emergence of the much more subtle Vectors of Trust approach (VoT) which looks at the multidimensionality of people and entities. I see all these developments as part of a bigger truth that has taken years to emerge.

And just in time for the Internet of Things (IoT)! If we don’t get a whole lot smarter with authentication on the IoT, separating all the different facts we need to know about devices and their users, then we may end up with what I call “informatic grey goo.” I hope we can help stop that.